Thursday, June 30, 2005

[NEWS] Soldier of Fortune II DoS Vulnerability (/ignore command)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Soldier of Fortune II DoS Vulnerability (/ignore command)
------------------------------------------------------------------------

SUMMARY

<http://sof2.ravensoft.com/> Soldier of Fortune II is "a widely played
FPS game developed by Raven Software and released in May 2002".

A DoS vulnerability in Soldier of Fortune II allows remote attackers to cause
a crash when the /ignore command is given a client ID higher than 1024.

DETAILS

Vulnerable Systems:
* Soldier of Fortune II version 1.03
* Soldier of Fortune II version 1.02x

The /ignore command tells the server that the client does not want to
receive messages from a specific user. The command is followed by a number
that identifies the ID of the client to ignore. The server uses this client
ID directly as an index into the g_entities array, which holds 1024 entities,
so specifying a large ID such as 123456789 crashes the server immediately
because it accesses memory outside the array.

This is an in-game bug, so it cannot be exploited if the attacker is banned
or the server is protected by a password he does not know.

Vendor Status:
The game is no longer maintained by the vendor.

Workaround:
The correct way to remove the problem is to patch the bug in the latest SDK
available for the game (1.02 + 1.03) and recompile it. The patch consists of
adding the following instruction in g_cmds.c after "ignoree = atoi( buffer );"
at line 1962:

if (ignoree < 0 || ignoree >= MAX_GENTITIES) return; /* valid slots are 0 .. MAX_GENTITIES-1; atoi() can also return negatives */

It is enough to compile only the game folder (game.bat) and then put the
file vm\sof2mp_game.qvm into a new pk3 file such as update_fix.pk3.
Another, and probably simpler, way is to modify the file
vm\sof2mp_game.qvm so that the /ignore command is removed.
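The following C program is an added illustration written for this post; it is not code from the SoF2 SDK or from the original advisory. It models the bug class described in DETAILS (a client-supplied integer used unchecked as an index into a 1024-entry entity table) and the bounds check described in the workaround. The entity structure, the `parse_client_id`/`cmd_ignore` functions and the sample arguments are all constructed for the example; only the name `g_entities` and the constant `MAX_GENTITIES` follow the advisory's description. It also shows, as `advisory_check_passes`, why a bare `ignoree > MAX_GENTITIES` comparison is not sufficient: it still admits the index 1024 (one past the end of a 1024-element array) and every negative value that `atoi` can return.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the entity table described in the advisory.
 * This is NOT the SoF2 SDK; only the array name and the 1024 size follow it. */
#define MAX_GENTITIES 1024

typedef struct {
    int ignored_by[8];   /* toy bookkeeping: who has ignored this slot */
    int ignore_count;
} gentity_t;

static gentity_t g_entities[MAX_GENTITIES];

/* The weak check, modelled as a predicate: returns 1 when an ID would get
 * past a bare `if (ignoree > MAX_GENTITIES) return;` guard. */
int advisory_check_passes(long ignoree)
{
    return !(ignoree > MAX_GENTITIES);
}

/* Hardened parser for the /ignore argument. Accepts only a fully numeric
 * string whose value is a valid slot 0 .. MAX_GENTITIES-1. Rejects negatives,
 * the off-by-one value MAX_GENTITIES, trailing garbage, empty input and
 * integer overflow (strtol reports ERANGE where atoi would silently wrap). */
int parse_client_id(const char *buffer, int *id_out)
{
    char *end;
    long v;

    if (buffer == NULL || *buffer == '\0')
        return 0;
    errno = 0;
    v = strtol(buffer, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;                       /* overflow or non-numeric tail */
    if (v < 0 || v >= MAX_GENTITIES)
        return 0;                       /* outside g_entities[] */
    *id_out = (int)v;
    return 1;
}

/* Convenience wrapper for tests: parsed slot, or -1 when rejected. */
int parsed_id(const char *buffer)
{
    int id;
    return parse_client_id(buffer, &id) ? id : -1;
}

/* Hardened /ignore handler. `requester` is the slot of the client issuing
 * the command, `buffer` the raw argument. Returns 1 when the ignore was
 * recorded, 0 when the argument was rejected; g_entities is only indexed
 * after the value has been proven in range. */
int cmd_ignore(int requester, const char *buffer)
{
    int ignoree;
    gentity_t *ent;

    if (!parse_client_id(buffer, &ignoree))
        return 0;
    ent = &g_entities[ignoree];         /* provably 0 .. MAX_GENTITIES-1 */
    if (ent->ignore_count < 8)
        ent->ignored_by[ent->ignore_count++] = requester;
    return 1;
}

int main(void)
{
    /* Constructed sample arguments, including the advisory's 123456789. */
    const char *samples[] = { "5", "1023", "1024", "123456789", "-1", "12abc" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("/ignore %-10s -> %s\n", samples[i],
               cmd_ignore(0, samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The point of keeping the parse and the table access in separate functions is that the range proof lives next to the conversion: any later code path that obtains a slot through `parse_client_id` cannot reach an out-of-bounds index, whereas a guard added after `atoi` in one handler protects only that handler.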

An easy step-by-step guide is explained here:
http://aluigi.altervista.org/patches/q3lamefix.txt

ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma <aluigi@autistici.org>.
The original article can be found at:
http://aluigi.altervista.org/adv/sof2ignore-adv.txt


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
